1. Technical Field
The present disclosure relates to detecting rogue network traffic and more specifically to analyzing network flow statistics to determine the cause of unexpected packet loss or unexpected classification of packets as drop eligible.
2. Introduction
Due to the consistent growth of Internet and other network traffic, network administrators face a constant need to increase the bandwidth available while also managing network resources as optimally as possible. Increases in bandwidth have, to date, been largely accomplished with hardware upgrades, such as converting from analog modems to Ethernet cards and using fiber optic connections in place of pre-existing telephone connections. Efficient management of network resources often occurs in part through use of Differentiated Services, a networking architecture used to classify forms of network traffic. Network traffic utilizing Differentiated Services receives differentiated services code point markings identifying the traffic as belonging to pre-defined Class of Service queues, such as an audio queue and a video queue. Each queue can have a pre-defined bandwidth, with service rules establishing the priority of each queue and the consequences of exceeding the bandwidth. A flow collector collects statistics associated with traffic having differentiated services code point markings, at which point network administrators can monitor both overall network traffic and the traffic of the individual queues.
Despite this capability, the sheer volume of statistics means that looking for answers as to why signal distortion occurs can be like searching for a needle in a haystack. A common problem network administrators attempt to solve is finding the reason for audio packet loss. Service level agreements are often designed to give audio packets an absolute priority up to an agreed limit known as the audio CDR (Committed Data Rate). Should the audio queue bandwidth exceed the agreed-upon CDR, the audio packets will simply be dropped without warning or recourse. Accordingly, it is important to monitor and plan traffic to ensure the packets placed in the audio queue will not exceed the CDR. Because network and traffic conditions evolve so rapidly, automated communication managers utilize a call admission control mechanism to analyze current and future traffic conditions, using that analysis to plan when specific packets of data will be communicated with the goal of not exceeding the CDR.
However, call admission control mechanisms only work to the extent that they are aware of the packets assigned to the audio queue. If a rogue application marks packets as belonging in the audio queue, but fails to send that information to be analyzed by the call admission control mechanism, the CDR can be exceeded and packets dropped. Similarly, an intermediate entity other than a source of traffic can be a rogue in that such an entity can misclassify packets into an incorrect queue. Video and other designated queues can suffer from similar vulnerabilities, but rather than being dropped, these packets are often classified as out-of-contract by the service level provider and are drop eligible. Discovering the cause of lost audio packets and/or drop-eligible packets continues to require a difficult search through the data logs.
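The gap described above, between what is marked for the audio queue and what call admission control knows about, can be checked mechanically. The following is an added illustration, not part of the disclosure: it compares audio-marked flow records with the sessions call admission control admitted. The record layout, the DSCP value 46 (EF) for the audio queue, the CDR figure, and all addresses are assumptions constructed for the example.

```python
AUDIO_DSCP = 46          # assumption: audio queue traffic is marked EF (46)
AUDIO_CDR_BPS = 256_000  # constructed audio CDR for this sample link
INTERVAL_S = 60          # constructed flow-export interval

# Constructed flow-collector records: (src, dst, dscp, bytes in interval)
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 46, 600_000),
    ("10.0.1.11", "10.0.2.21", 46, 600_000),
    ("10.0.1.99", "10.0.2.50", 46, 1_200_000),  # never reported to CAC
    ("10.0.1.12", "10.0.2.22", 34, 3_000_000),  # video queue, ignored
]
# Constructed (src, dst) sessions admitted by call admission control
CAC_ADMITTED = {("10.0.1.10", "10.0.2.20"), ("10.0.1.11", "10.0.2.21")}


def audit_audio_queue(flows, admitted, cdr_bps=AUDIO_CDR_BPS,
                      dscp=AUDIO_DSCP, interval_s=INTERVAL_S):
    """Compare audio-marked flows with CAC-admitted sessions."""
    rates = {}
    for src, dst, mark, nbytes in flows:
        if mark != dscp:
            continue
        key = (src, dst)
        rates[key] = rates.get(key, 0.0) + nbytes * 8 / interval_s

    def known(key):
        # A session is admitted once; its media flows in both directions.
        return key in admitted or (key[1], key[0]) in admitted

    admitted_bps = sum(r for k, r in rates.items() if known(k))
    unknown = sorted(((k, r) for k, r in rates.items() if not known(k)),
                     key=lambda kr: kr[1], reverse=True)
    total_bps = sum(rates.values())
    return {
        "total_bps": total_bps,
        "admitted_bps": admitted_bps,
        "over_cdr": total_bps > cdr_bps,
        # CAC kept its own traffic within the CDR, so the excess is
        # attributable to audio-marked flows CAC never saw.
        "unaccounted_explains_excess":
            total_bps > cdr_bps and admitted_bps <= cdr_bps,
        "unaccounted_flows": unknown,
    }


if __name__ == "__main__":
    report = audit_audio_queue(FLOWS, CAC_ADMITTED)
    for (src, dst), bps in report["unaccounted_flows"]:
        print(f"audio-marked flow unknown to CAC: {src} -> {dst} {bps:.0f} bps")
    print("over CDR:", report["over_cdr"])
```

Sorting the unaccounted flows by rate puts the largest contributor to the excess first, which is the record an administrator would otherwise have to find by hand in the logs.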